|
Email-derived URL path injection in the Swoosh Microsoft Graph adapter
|
pkg:hex/swoosh
pkg:github/swoosh/swoosh
|
CVE-2026-54893
|
06 July 2026 |
07 July 2026 |
|
mint buffers an entire chunked response chunk in memory in Mint.HTTP1.decode_body/5
|
pkg:hex/mint
pkg:github/elixir-mint/mint
|
CVE-2026-56810
|
06 July 2026 |
07 July 2026 |
|
Unauthenticated denial-of-service via unbounded HPACK integer decoding in hpax
|
pkg:hex/hpax
pkg:github/elixir-mint/hpax
|
CVE-2026-58226
|
06 July 2026 |
06 July 2026 |
|
Plaintext APPLICATION_DATA injected during TLS handshake delivered to client application post-handshake in ssl
|
pkg:otp/ssl
pkg:github/erlang/otp
|
CVE-2026-54891
|
02 July 2026 |
03 July 2026 |
|
DTLS listener crash via race condition in dtls_packet_demux causes denial of service for all sessions
|
pkg:otp/ssl
pkg:github/erlang/otp
|
CVE-2026-55950
|
02 July 2026 |
03 July 2026 |
|
SSH SFTP server denial of service via extended channel data infinite loop
|
pkg:otp/ssh
pkg:github/erlang/otp
|
CVE-2026-54886
|
02 July 2026 |
03 July 2026 |
|
TLS 1.3 server denial of service via malformed ClientHello pre-shared key extension
|
pkg:otp/ssl
pkg:github/erlang/otp
|
CVE-2026-55952
|
02 July 2026 |
03 July 2026 |
|
DTLS server cookie bypass during startup window due to empty initial cookie secret
|
pkg:otp/ssl
pkg:github/erlang/otp
|
CVE-2026-54887
|
02 July 2026 |
03 July 2026 |
|
SFTP REALPATH path-existence oracle allowing filesystem enumeration outside configured root
|
pkg:otp/ssh
pkg:github/erlang/otp
|
CVE-2026-53422
|
02 July 2026 |
03 July 2026 |
|
Atom-table exhaustion denial-of-service via JSON parse_document in MDEx
|
pkg:hex/mdex
pkg:github/leandrocp/mdex
|
CVE-2026-53426
|
29 June 2026 |
30 June 2026 |
|
Unsanitized URL schemes in MDEx Quill Delta output allow javascript: injection (XSS)
|
pkg:hex/mdex
pkg:github/leandrocp/mdex
|
CVE-2026-54889
|
29 June 2026 |
30 June 2026 |
|
Uncontrolled recursion over deeply nested Markdown crashes the BEAM in mdex
|
pkg:hex/mdex
pkg:github/leandrocp/mdex
pkg:hex/mdex_native
pkg:github/leandrocp/mdex_native
|
CVE-2026-54888
|
29 June 2026 |
30 June 2026 |
|
Unbounded native memory leak in mdex escaped-tag rendering enables unauthenticated denial of service
|
pkg:hex/mdex
pkg:github/leandrocp/mdex
pkg:hex/mdex_native
pkg:github/leandrocp/mdex_native
|
CVE-2026-53429
|
29 June 2026 |
30 June 2026 |
|
Unbounded memory allocation in highlight_lines range expansion in mdex
|
pkg:hex/mdex
pkg:github/leandrocp/mdex
pkg:hex/mdex_native
pkg:github/leandrocp/mdex_native
|
CVE-2026-53428
|
29 June 2026 |
30 June 2026 |
|
Cross-site scripting in MDEx via unescaped highlight_lines_class code-fence attribute
|
pkg:hex/mdex
pkg:github/leandrocp/mdex
pkg:hex/mdex_native
pkg:github/leandrocp/mdex_native
|
CVE-2026-53427
|
29 June 2026 |
30 June 2026 |
|
Private action arguments can be set by user input in Ash
|
pkg:hex/ash
pkg:github/ash-project/ash
|
CVE-2026-55736
|
23 June 2026 |
23 June 2026 |
|
Plug: quadratic-time decoding of nested query/body parameters enables denial of service
|
pkg:hex/plug
pkg:github/elixir-plug/plug
|
CVE-2026-54892
|
23 June 2026 |
23 June 2026 |
|
Stored XSS via unescaped HTML attribute values in earmark
|
pkg:hex/earmark
pkg:github/pragdave/earmark
|
CVE-2026-48591
|
17 June 2026 |
18 June 2026 |
|
Remote code execution and denial of service via unsafe Erlang term deserialization in elixir-grpc/grpc
|
pkg:hex/grpc
pkg:github/elixir-grpc/grpc
|
CVE-2026-48853
|
15 June 2026 |
17 June 2026 |
|
grpc gzip decompression bomb in GRPC.Compressor.Gzip.decompress/1
|
pkg:hex/grpc
pkg:github/elixir-grpc/grpc
|
CVE-2026-53430
|
15 June 2026 |
17 June 2026 |
|
Authorization bypass via path binding override in elixir-grpc/grpc HTTP transcoding
|
pkg:hex/grpc
pkg:github/elixir-grpc/grpc
|
CVE-2026-48599
|
15 June 2026 |
17 June 2026 |
|
Unbounded request body accumulation causes memory exhaustion in elixir-grpc/grpc
|
pkg:hex/grpc
pkg:github/elixir-grpc/grpc
|
CVE-2026-48854
|
15 June 2026 |
17 June 2026 |
|
OAuth2/OIDC account takeover in AshAuthentication via email-based user matching
|
pkg:hex/ash_authentication
pkg:github/team-alembic/ash_authentication
|
CVE-2026-49757
|
15 June 2026 |
15 June 2026 |
|
Unauthenticated denial-of-service via BEAM atom table exhaustion in membrane_mp4_plugin
|
pkg:hex/membrane_mp4_plugin
pkg:github/membraneframework/membrane_mp4_plugin
|
CVE-2026-53423
|
11 June 2026 |
12 June 2026 |
|
httpc leaks Authorization header to cross-origin redirect targets
|
pkg:otp/inets
pkg:github/erlang/otp
|
CVE-2026-48856
|
10 June 2026 |
11 June 2026 |
|
Distribution-over-TLS LAN allowlist silently bypassed due to sockname/peername confusion in inet_tls_dist
|
pkg:otp/ssl
pkg:github/erlang/otp
|
CVE-2026-48860
|
10 June 2026 |
11 June 2026 |
|
SFTP READLINK Leaks Absolute Backend Filesystem Path When Root Is Configured
|
pkg:otp/ssh
pkg:github/erlang/otp
|
CVE-2026-48855
|
10 June 2026 |
11 June 2026 |
|
ftp client PASV response IP not validated against control peer, enabling SSRF and FTP bounce attacks
|
pkg:otp/inets
pkg:otp/ftp
pkg:github/erlang/otp
|
CVE-2026-48858
|
10 June 2026 |
11 June 2026 |
|
SSH server timing side-channel in ssh_auth:check_password/3 allows unauthenticated username enumeration
|
pkg:otp/ssh
pkg:github/erlang/otp
|
CVE-2026-48859
|
10 June 2026 |
11 June 2026 |
|
Stack buffer overflow in SCTP error cause parsing in inet_drv allows remote VM crash
|
pkg:otp/erts
pkg:github/erlang/otp
|
CVE-2026-49759
|
10 June 2026 |
01 July 2026 |
|
Stack Buffer Overflow in ei_s_print_term at Very Large Integer
|
pkg:otp/erl_interface
pkg:github/erlang/otp
|
CVE-2026-49760
|
10 June 2026 |
11 June 2026 |
|
Unbounded integer parsing in the Version module enables CPU and memory exhaustion denial of service
|
pkg:otp/elixir
pkg:github/elixir-lang/elixir
|
CVE-2026-49762
|
09 June 2026 |
10 June 2026 |
|
HTTP Response Splitting via Non-VCHAR Bytes in cow_http_struct_hd:escape_string/2
|
pkg:hex/cowlib
pkg:github/ninenines/cowlib
|
CVE-2026-43966
|
08 June 2026 |
09 June 2026 |
|
Decompression bomb DoS in Req via auto-decoded archive and compressed response bodies
|
pkg:hex/req
pkg:github/wojtekmach/req
|
CVE-2026-49755
|
08 June 2026 |
08 June 2026 |
|
Multipart form-data header injection in Req via unescaped name/filename/content_type
|
pkg:hex/req
pkg:github/wojtekmach/req
|
CVE-2026-49756
|
08 June 2026 |
08 June 2026 |
|
gun HTTP/1.1 response buffer has no size limit allowing server-controlled memory exhaustion
|
pkg:hex/gun
pkg:github/ninenines/gun
|
CVE-2026-43973
|
08 June 2026 |
08 June 2026 |
|
gun HTTP/2 PUSH_PROMISE authority not validated against connection origin allows cross-origin cookie injection
|
pkg:hex/gun
pkg:github/ninenines/gun
|
CVE-2026-43972
|
08 June 2026 |
08 June 2026 |
|
gun HTTP/1.1 client accepts unsolicited 101 Switching Protocols response allowing server-driven protocol hijack and OOM
|
pkg:hex/gun
pkg:github/ninenines/gun
|
CVE-2026-43974
|
08 June 2026 |
08 June 2026 |
|
CRLF injection in Tesla.Multipart.add_content_type_param/2 allows HTTP header injection
|
pkg:hex/tesla
pkg:github/elixir-tesla/tesla
|
CVE-2026-48596
|
02 June 2026 |
04 June 2026 |
|
Decompression bomb in Tesla.Middleware.DecompressResponse and Tesla.Middleware.Compression
|
pkg:hex/tesla
pkg:github/elixir-tesla/tesla
|
CVE-2026-48594
|
02 June 2026 |
04 June 2026 |
|
Authorization header leaks to third-party origin on cross-origin redirect in Tesla.Middleware.FollowRedirects
|
pkg:hex/tesla
pkg:github/elixir-tesla/tesla
|
CVE-2026-48595
|
02 June 2026 |
04 June 2026 |
|
Atom table exhaustion via untrusted URL scheme in Tesla.Adapter.Mint
|
pkg:hex/tesla
pkg:github/elixir-tesla/tesla
|
CVE-2026-48597
|
02 June 2026 |
04 June 2026 |
|
CRLF injection in Tesla.Multipart disposition parameters allows multipart part header injection
|
pkg:hex/tesla
pkg:github/elixir-tesla/tesla
|
CVE-2026-48598
|
02 June 2026 |
04 June 2026 |
|
HTTP response smuggling in Mint HTTP/1 client via lenient Content-Length parsing
|
pkg:hex/mint
pkg:github/elixir-mint/mint
|
CVE-2026-49753
|
02 June 2026 |
02 June 2026 |
|
HTTP/2 CONTINUATION flood in Mint client via unbounded header-block accumulation
|
pkg:hex/mint
pkg:github/elixir-mint/mint
|
CVE-2026-49754
|
02 June 2026 |
02 June 2026 |
|
Unbounded conn.streams growth in Mint HTTP/2 client via unenforced PUSH_PROMISE concurrency
|
pkg:hex/mint
pkg:github/elixir-mint/mint
|
CVE-2026-48862
|
02 June 2026 |
02 June 2026 |
|
CRLF injection in HTTP/1 request line via unvalidated method in Mint
|
pkg:hex/mint
pkg:github/elixir-mint/mint
|
CVE-2026-48861
|
02 June 2026 |
02 June 2026 |
|
Symlink Following in Hex Package Export Allows Embedding Files Outside Project Root
|
pkg:sid/gleam.run/gleam
pkg:github/gleam-lang/gleam
pkg:oci/gleam
|
CVE-2026-42795
|
02 June 2026 |
02 June 2026 |
|
Path Traversal in gleam docs build via documentation.pages Allows Arbitrary File Read and Write
|
pkg:sid/gleam.run/gleam
pkg:github/gleam-lang/gleam
pkg:oci/gleam
|
CVE-2026-32685
|
02 June 2026 |
02 June 2026 |
|
Path Traversal in build/packages/packages.toml Allows Arbitrary Directory Deletion
|
pkg:sid/gleam.run/gleam
pkg:github/gleam-lang/gleam
pkg:oci/gleam
|
CVE-2026-43965
|
02 June 2026 |
02 June 2026 |
|
ex_aws_sns SigningCertURL not validated in verify_message/1
|
pkg:hex/ex_aws_sns
pkg:github/ex-aws/ex_aws_sns
|
CVE-2026-47074
|
28 May 2026 |
29 May 2026 |
|
nameConstraints DNS bypass via subject CommonName fallback in public_key hostname verification
|
pkg:otp/public_key
pkg:github/erlang/otp
|
CVE-2026-42790
|
27 May 2026 |
01 July 2026 |
|
OCSP responder certificate validity period not checked in public_key
|
pkg:otp/public_key
pkg:github/erlang/otp
|
CVE-2026-42791
|
27 May 2026 |
27 May 2026 |
|
Non-CA certificate accepted as intermediate issuer in public_key path validation
|
pkg:otp/public_key
pkg:github/erlang/otp
|
CVE-2026-42789
|
27 May 2026 |
01 July 2026 |
|
Missing authorization check on save-job event handler in oban_web
|
pkg:hex/oban_web
pkg:github/oban-bg/oban_web
|
CVE-2026-48592
|
26 May 2026 |
27 May 2026 |
|
Unbounded range expansion in cron describe causes memory exhaustion in oban_web
|
pkg:hex/oban_web
pkg:github/oban-bg/oban_web
|
CVE-2026-48593
|
26 May 2026 |
27 May 2026 |
|
Unbounded memory consumption in WebSocket client in hackney
|
pkg:hex/hackney
pkg:github/benoitc/hackney
|
CVE-2026-47073
|
25 May 2026 |
27 May 2026 |
|
Atom table exhaustion via unrecognized URL schemes in hackney
|
pkg:hex/hackney
pkg:github/benoitc/hackney
|
CVE-2026-47067
|
25 May 2026 |
27 May 2026 |
|
CRLF injection in WebSocket upgrade request in hackney
|
pkg:hex/hackney
pkg:github/benoitc/hackney
|
CVE-2026-47072
|
25 May 2026 |
27 May 2026 |
|
SSRF allowlist bypass via percent-encoded host in hackney
|
pkg:hex/hackney
pkg:github/benoitc/hackney
|
CVE-2026-47076
|
25 May 2026 |
27 May 2026 |
|
HTTP/3 redirect handler leaks Authorization and Cookie headers to cross-origin redirect target in hackney
|
pkg:hex/hackney
pkg:github/benoitc/hackney
|
CVE-2026-47070
|
25 May 2026 |
27 May 2026 |
|
CR/LF injection in query parameter in hackney
|
pkg:hex/hackney
pkg:github/benoitc/hackney
|
CVE-2026-47075
|
25 May 2026 |
27 May 2026 |
|
Unbounded body accumulation in HTTP/3 response loop in hackney
|
pkg:hex/hackney
pkg:github/benoitc/hackney
|
CVE-2026-47077
|
25 May 2026 |
27 May 2026 |
|
SOCKS5 TLS upgrade ignores caller timeout in hackney
|
pkg:hex/hackney
pkg:github/benoitc/hackney
|
CVE-2026-47071
|
25 May 2026 |
27 May 2026 |
|
Infinite loop in Alt-Svc header parser in hackney
|
pkg:hex/hackney
pkg:github/benoitc/hackney
|
CVE-2026-47066
|
25 May 2026 |
27 May 2026 |
|
CRLF injection in cookie domain/path options in hackney
|
pkg:hex/hackney
pkg:github/benoitc/hackney
|
CVE-2026-47069
|
25 May 2026 |
27 May 2026 |
|
Cross-session PubSub topic injection via URL parameter in phoenix_storybook
|
pkg:hex/phoenix_storybook
pkg:github/phenixdigital/phoenix_storybook
|
CVE-2026-47068
|
20 May 2026 |
27 May 2026 |
|
Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground
|
pkg:hex/phoenix_storybook
pkg:github/phenixdigital/phoenix_storybook
|
CVE-2026-8467
|
20 May 2026 |
27 May 2026 |
|
Unauthenticated denial-of-service via BEAM atom table exhaustion in phoenix_storybook
|
pkg:hex/phoenix_storybook
pkg:github/phenixdigital/phoenix_storybook
|
CVE-2026-8469
|
20 May 2026 |
27 May 2026 |
|
Unbounded buffer accumulation in multipart header parsing causes denial of service in plug
|
pkg:hex/plug
pkg:github/elixir-plug/plug
|
CVE-2026-8468
|
14 May 2026 |
27 May 2026 |
|
Decompression Bomb in cow_spdy:inflate/2 Allows Memory Exhaustion via Crafted SPDY Frame
|
pkg:hex/cowlib
pkg:github/ninenines/cowlib
|
CVE-2026-43970
|
13 May 2026 |
15 May 2026 |
|
Unbounded buffer accumulation in multipart header parsing causes denial of service in cowboy
|
pkg:hex/cowboy
pkg:github/ninenines/cowboy
|
CVE-2026-8466
|
13 May 2026 |
14 May 2026 |
|
HTTP/1 chunked decoder infinite loop on requests with trailer fields in bandit
|
pkg:hex/bandit
pkg:github/mtrudel/bandit
|
CVE-2026-39806
|
13 May 2026 |
27 May 2026 |
|
HTTP/1 chunked body reader ignores length cap in bandit
|
pkg:hex/bandit
pkg:github/mtrudel/bandit
|
CVE-2026-39803
|
13 May 2026 |
27 May 2026 |
|
SQL injection via channel name in Postgrex.Notifications.listen/3 and unlisten/3
|
pkg:hex/postgrex
pkg:github/elixir-ecto/postgrex
|
CVE-2026-32687
|
12 May 2026 |
26 May 2026 |
|
CR Injection in SSE Encoder Enables Event Splitting via cow_sse:event/1
|
pkg:hex/cowlib
pkg:github/ninenines/cowlib
|
CVE-2026-43968
|
11 May 2026 |
12 May 2026 |
|
Unbounded chunk-size hex digits in cowlib cause quadratic CPU and memory DoS
|
pkg:hex/cowlib
pkg:github/ninenines/cowlib
|
CVE-2026-7790
|
11 May 2026 |
26 May 2026 |
|
Cookie Request Header Injection via Unvalidated Encoder in cow_cookie:cookie/1
|
pkg:hex/cowlib
pkg:github/ninenines/cowlib
|
CVE-2026-43969
|
11 May 2026 |
12 May 2026 |
|
Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe
|
pkg:hex/absinthe
pkg:github/absinthe-graphql/absinthe
|
CVE-2026-42793
|
08 May 2026 |
09 May 2026 |
|
Reflected XSS via backslash bypass in GraphiQL js_escape in absinthe_plug
|
pkg:hex/absinthe_plug
pkg:github/absinthe-graphql/absinthe_plug
|
CVE-2026-42794
|
08 May 2026 |
16 May 2026 |
|
Quadratic fragment-name uniqueness check causes denial of service in absinthe
|
pkg:hex/absinthe
pkg:github/absinthe-graphql/absinthe
|
CVE-2026-43967
|
08 May 2026 |
09 May 2026 |
|
Unbounded exponent in decimal enables unauthenticated DoS
|
pkg:hex/decimal
pkg:github/ericmj/decimal
|
CVE-2026-32686
|
07 May 2026 |
27 May 2026 |
|
Long-poll NDJSON body splitting causes unbounded memory allocation in Phoenix
|
pkg:hex/phoenix
pkg:github/phoenixframework/phoenix
|
CVE-2026-32689
|
05 May 2026 |
07 May 2026 |
|
CL.CL HTTP request smuggling via duplicate Content-Length in bandit
|
pkg:hex/bandit
pkg:github/mtrudel/bandit
|
CVE-2026-39805
|
01 May 2026 |
27 May 2026 |
|
WebSocket permessage-deflate inflate has no output-size cap in bandit
|
pkg:hex/bandit
pkg:github/mtrudel/bandit
|
CVE-2026-39804
|
01 May 2026 |
27 May 2026 |
|
Client-supplied URI scheme trusted without transport verification in bandit
|
pkg:hex/bandit
pkg:github/mtrudel/bandit
|
CVE-2026-39807
|
01 May 2026 |
27 May 2026 |
|
WebSocket fragmented message reassembly unbounded in bandit
|
pkg:hex/bandit
pkg:github/mtrudel/bandit
|
CVE-2026-42786
|
01 May 2026 |
27 May 2026 |
|
HTTP/2 frame size limit checked after body is buffered in bandit
|
pkg:hex/bandit
pkg:github/mtrudel/bandit
|
CVE-2026-42788
|
01 May 2026 |
27 May 2026 |
|
Lockfile checksums not verified in Hex allows dependency integrity bypass
|
pkg:otp/hex
pkg:github/hexpm/hex
|
CVE-2026-32148
|
30 April 2026 |
01 May 2026 |
|
Atom table exhaustion via HTTP/2 :scheme pseudo-header in plug_cowboy
|
pkg:hex/plug_cowboy
pkg:github/elixir-plug/plug_cowboy
|
CVE-2026-32688
|
27 April 2026 |
29 April 2026 |
|
SFTP chroot bypass via path traversal in SSH_FXP_FSETSTAT
|
pkg:otp/ssh
pkg:github/erlang/otp
|
CVE-2026-32147
|
21 April 2026 |
10 June 2026 |
|
Improper Path Validation in Git Dependency Handling Allows Arbitrary File System Modification
|
pkg:sid/gleam.run/gleam
pkg:github/gleam-lang/gleam
pkg:oci/gleam
|
CVE-2026-32146
|
11 April 2026 |
01 July 2026 |
|
ScriptAlias CGI targets bypass directory auth in inets httpd (mod_auth vs mod_cgi path mismatch)
|
pkg:otp/inets
pkg:github/erlang/otp
|
CVE-2026-28808
|
07 April 2026 |
01 July 2026 |
|
OCSP designated-responder authorization bypass via missing signature verification
|
pkg:otp/public_key
pkg:otp/ssl
pkg:github/erlang/otp
|
CVE-2026-32144
|
07 April 2026 |
01 July 2026 |
|
Predictable DNS Transaction IDs Enable Cache Poisoning in Built-in Resolver
|
pkg:otp/kernel
pkg:github/erlang/otp
|
CVE-2026-28810
|
07 April 2026 |
27 May 2026 |
|
Multipart form body parser bypasses body size limits in wisp
|
pkg:hex/wisp
pkg:github/gleam-wisp/wisp
|
CVE-2026-32145
|
02 April 2026 |
07 April 2026 |
|
XXE in esaml SAML library allows local file read and potential SSRF
|
pkg:hex/esaml
pkg:github/arekinath/esaml
pkg:github/handnot2/esaml
pkg:github/dropbox/esaml
pkg:github/Jump-App/esaml
|
CVE-2026-28809
|
23 March 2026 |
27 May 2026 |
|
Denial of Service via Oversized Package Upload
|
pkg:github/hexpm/hexpm
hexpm / hex.pm
|
CVE-2026-23940
|
13 March 2026 |
06 April 2026 |
|
Request smuggling via first-wins Content-Length parsing in inets httpd
|
pkg:otp/inets
pkg:github/erlang/otp
|
CVE-2026-23941
|
13 March 2026 |
27 May 2026 |
|
Pre-auth SSH DoS via unbounded zlib inflate
|
pkg:otp/ssh
pkg:github/erlang/otp
|
CVE-2026-23943
|
13 March 2026 |
10 June 2026 |
|
SFTP root escape via component-agnostic prefix check in ssh_sftpd
|
pkg:otp/ssh
pkg:github/erlang/otp
|
CVE-2026-23942
|
13 March 2026 |
27 May 2026 |
|
Path Traversal in wisp.serve_static allows arbitrary file read
|
pkg:hex/wisp
pkg:github/gleam-wisp/wisp
|
CVE-2026-28807
|
10 March 2026 |
06 April 2026 |
|
Improper authorization in device bulk actions and device update API allows cross-organization device control
|
pkg:otp/nerves_hub
pkg:oci/nerves-hub
pkg:github/nerves-hub/nerves_hub_web
|
CVE-2026-28806
|
10 March 2026 |
27 May 2026 |
|
Password Reset Tokens Do Not Expire
|
pkg:github/hexpm/hexpm
hexpm / hex.pm
|
CVE-2026-21622
|
05 March 2026 |
21 April 2026 |
|
Improper Scope Enforcement in OAuth client_credentials Flow Allows Read-Only API Key to Escalate to Full Access
|
pkg:github/hexpm/hexpm
hexpm / hex.pm
|
CVE-2026-21621
|
05 March 2026 |
06 April 2026 |
|
Unsafe Deserialization of Erlang Terms in hex_core
|
pkg:github/hexpm/hex_core
pkg:hex/hex_core
pkg:github/hexpm/hex
pkg:otp/hex
pkg:github/erlang/rebar3
pkg:otp/rebar3
|
CVE-2026-21619
|
27 February 2026 |
27 May 2026 |
|
Path Traversal in Local File Store Backend
|
|
CVE-2026-23939
|
26 February 2026 |
07 April 2026 |
|
TFTP Path Traversal
|
pkg:github/erlang/otp
pkg:otp/inets
pkg:otp/tftp
|
CVE-2026-21620
|
20 February 2026 |
27 May 2026 |
|
Cross-site scripting (XSS) in OAuth Device Authorization screen
|
pkg:github/hexpm/hexpm
hexpm / hex.pm
|
CVE-2026-21618
|
19 January 2026 |
06 April 2026 |
|
Authorization bypass when bypass policy condition evaluates to true
|
pkg:hex/ash
pkg:github/ash-project/ash
|
CVE-2025-48044
|
17 October 2025 |
27 May 2026 |
|
Bypass and runtime policies that can never pass may be incorrectly applied in filter authorization
|
pkg:hex/ash
pkg:github/ash-project/ash
|
CVE-2025-48043
|
10 October 2025 |
27 May 2026 |
|
SSH_FXP_OPENDIR may Lead to Exhaustion of File Handles
|
pkg:otp/ssh
pkg:github/erlang/otp
|
CVE-2025-48041
|
11 September 2025 |
05 June 2026 |
|
Malicious Key Exchange Messages may Lead to Excessive Resource Consumption
|
pkg:otp/ssh
pkg:github/erlang/otp
|
CVE-2025-48040
|
11 September 2025 |
05 June 2026 |
|
Unverified Paths can Cause Excessive Use of System Resources
|
pkg:otp/ssh
pkg:github/erlang/otp
|
CVE-2025-48039
|
11 September 2025 |
05 June 2026 |
|
Unverified File Handles can Cause Excessive Use of System Resources
|
pkg:otp/ssh
pkg:github/erlang/otp
|
CVE-2025-48038
|
11 September 2025 |
05 June 2026 |
|
Before action hooks may execute in certain scenarios despite a request being forbidden
|
pkg:hex/ash
pkg:github/ash-project/ash
|
CVE-2025-48042
|
07 September 2025 |
27 May 2026 |
|
Missing Session Revocation on Logout in ash_authentication_phoenix
|
pkg:hex/ash_authentication_phoenix
pkg:github/team-alembic/ash_authentication_phoenix
|
CVE-2025-4754
|
17 June 2025 |
27 May 2026 |
|
Absolute path traversal in zip:unzip/1,2
|
pkg:otp/stdlib
pkg:github/erlang/otp
|
CVE-2025-4748
|
16 June 2025 |
27 May 2026 |